CVE-2026-21445
CRITICAL · EXPLOITED · NUCLEI
Langflow < 1.7.1 - Missing Authentication
Title source: ruleDescription
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data and transaction histories, and to perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.
Exploits (1)
nomisec
SUSPICIOUS
1 star
by chinaxploiter · poc
https://github.com/chinaxploiter/CVE-2026-21445-PoC
Nuclei Templates (1)
Langflow - Broken Access Control
CRITICAL · VERIFIED · by DhiyaneshDk
Shodan:
html:"Langflow"
Scores
CVSS v3
9.1
EPSS
0.0697
EPSS Percentile
91.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
VulnCheck KEV
2026-04-09
CWE
CWE-306
Status
published
Products (3)
langflow/langflow
< 1.7.1
pypi/langflow
0 - 1.7.1 (PyPI)
pypi/langflow-base
0 - 0.7.1 (PyPI)
Published
Jan 02, 2026
Tracked Since
Feb 18, 2026